RISKS-LIST: Risks-Forum Digest  Friday 18 August 2006  Volume 24 : Issue 38

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/24.38.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
RFID car keys and insurance (Joshua Levy)
Anti-hijack software: what a great idea! (Nickee Sanders)
Bit bucket swallows 17 million AU dollars (Rodney Polkinghorne)
Sober Warnings About e-Voting Systems (Eric Sinrod via TechNews)
The FBI's Upgrade That Wasn't (Eggen and Witte)
Your Cable Company -- powered by the guy with the extension cord
  (Lauren Weinstein)
UK bank details sold in Nigeria (Amos Shapir)
Another auditor's laptop stolen (Neil Youngman)
First conviction in UK for Wi-Fi hijack (Peter Mellor)
Can't type? Your Dell laptop battery must be OK! (Dan Miller)
Re: 3.1 million HSBC (Thor Lancelot Simon)
Re: LA power outages (Scott Peterson)
Re: Letter on cybersecurity from the president (Nick Simicich)
REVIEW: "Risk Management Solutions ... Compliance, Quarterman (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 14 Aug 2006 09:46:30 -0700
From: Joshua Levy <levy@private>
Subject: RFID car keys and insurance

  [Source: Brad Stone, Pinch My Ride, *WiReD News*; PGN-ed]
  http://www.wired.com/wired/archive/14.08/carkey_pr.html

To make a long story short, Emad Wassef had his Lincoln Navigator stolen from
a Target parking lot in Orange County, California.  He reported the theft to
police and his insurance company.  Two weeks later the SUV turned up near the
Mexican border, stripped.  His insurance company (Unitrin Direct) claimed the
transponder antitheft system is absolutely nonspoofable.
Brad Stone (the author of the article) himself had had a similar experience
two years before, which he had written up for *Newsweek* in 2004, which led to
many letters reporting similar thefts.  Brad suggests various possibilities.
Cloned key?  Masquerader requesting a duplicate for an observed vehicle
identification number?  He also discovered there is an emergency override
known to insiders, involving a particular nongeneric sequence of mechanical
actions.

The moral of this story is that if you believe your transponder makes you more
secure and less likely to get stiffed by your insurance company, forget about
it.

------------------------------

Date: Fri, 18 Aug 2006 18:15:10 +1200
From: Nickee Sanders <njsanders@private>
Subject: Anti-hijack software: what a great idea!

A joint European effort is working on software that would enable remote
control of an aircraft that could override any attempts by hijackers to
control the plane, and force a safe landing.  "The system would be designed in
such a way that even a computer hacker on board could not get round it."  If
successful, it would resolve various debates such as those going on in Germany
about shooting down hijacked commercial airliners.  The project is budgeted
for 36m Euros.

  [Source: Yahoo News, 22 Jul 2006; PGN-ed]
  http://news.yahoo.com/news?tmpl=story&cid=1509&e=10&u=/afp/20060722/tc_afp/germanyeuunrest

If only it were April Fools' Day...

Nickee Sanders, Software Engineer, Auckland, New Zealand

  [Ah, perfect security at long last!  How reassuring to RISKS readers.  PGN]

------------------------------

Date: Tue, 15 Aug 2006 14:49:28 +1000
From: Rodney Polkinghorne <rodneyp@private>
Subject: Bit bucket swallows 17 million AU dollars

Today's issue of *The Australian* has two stories about a new accounting
system that Australian Pharmaceutical Industries installed when it outgrew
Excel.
The one in the IT section [1] features the company's information management
leader congratulating himself on how quickly he got the new system up and
running.  The one in the business section [2] reports that the company's
shares have been suspended from trading because the new books don't balance,
and no one knows whether the company made 20 or 40 million Australian dollars
last year.

[1] "Finding the right modelling tool", The Australian, 15th August 2006,
  <http://australianit.news.com.au/articles/0,7204,20098218%5E24170%5E%5Enbv%5E24169,00.html>
[2] "API mystified by missing millions", The Australian, 15th August 2006,
  <http://www.theaustralian.news.com.au/story/0,20867,20129112-643,00.html>

------------------------------

Date: Fri, 18 Aug 2006 16:29:02 -0400
From: TechNews <technews@private>
Subject: "Sober Warnings About e-Voting Systems"

  [Source: Eric J. Sinrod, CNet (08/17/06) via ACM TechNews; 18 Aug 2006]
  http://news.com.com/Sober+warnings+about+e-voting+systems/2010-1071_3-6106187.html

In its analysis of three of the most widely used electronic voting systems,
the Brennan Center for Justice at New York University found significant
security and reliability flaws in each of them that could compromise the
integrity of local, state, and national elections.  With sufficient
precautions at the state and local levels, the most serious vulnerabilities
can be addressed, but few jurisdictions have implemented the necessary
countermeasures to shore up their systems.  The study analyzed the Direct
Recording Electronic (DRE) system, which directly records a voter's choices
with a ballot that appears on the screen; DRE with Voter Verified Paper Trail,
which captures the vote both electronically and on paper; and Precinct Optical
Scan, which enables the voter to mark a ballot with a pen and then carry it to
a scanner.  It would be fairly easy for someone to deploy software attack
systems to alter vote counts or launch an attack on the system with a wireless
device.
New York and Minnesota are currently the only two states that prohibit
wireless components on all voting machines.  The Brennan Center report
recommends automatic, routine audits that compare electronic tallies with
voter-verified paper records after every election.  The report also urges
states to adopt wireless bans and randomly examine machines on Election Day
for viruses and worms.

------------------------------

Date: Fri, 18 Aug 2006 11:28:18 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: The FBI's Upgrade That Wasn't

  [Source: Dan Eggen and Griff Witte, The FBI's Upgrade That Wasn't:
  $170 Million Bought an Unusable Computer System, *The Washington Post*,
  18 Aug 2006, A01; PGN-ed]
  http://www.washingtonpost.com/wp-dyn/content/article/2006/08/17/AR2006081701485_pf.html

It was late 2003, and a contractor, Science Applications International Corp.
(SAIC), had spent months writing 730,000 lines of computer code for the
Virtual Case File (VCF), a networked system for tracking criminal cases that
was designed to replace the bureau's antiquated paper files and, finally,
shove J. Edgar Hoover's FBI into the 21st century.  It appeared to work
beautifully.  Until Azmi, now the FBI's technology chief, asked about the
error rate.  Software problem reports numbered in the hundreds, and were
multiplying as engineers continued to run tests.  Scores of basic functions
had yet to be analyzed.  "A month before delivery, you don't have SPRs," Azmi
said.  "You're making things pretty. . . . You're changing colors."

  [This is more on an old story that was foreordained a long time ago.
  PGN]

------------------------------

Date: Sat, 12 Aug 2006 03:47:03 -0700
From: Lauren Weinstein <lauren@private>
Subject: Your Cable Company -- powered by the guy with the extension cord

Last night at around 2:15am (yup, everyone's just leaving the bars) my area
had a widespread power failure when someone wrapped themselves around a main
distribution line power pole (this is a Friday and Saturday night tradition of
course).  While LADWP started on it pretty quickly, power was not restored for
around seven hours.

That long an outage is enough to expose one of the serious weak points in our
telecom networks -- remotely situated batteries.  They don't last very long
without external charging power, and we already know that microcell sites tend
to go down quickly for this reason when power fails.

Early this morning when I started walking the area to see the effects, I
quickly found an unmarked white bucket truck with engine running, parked at a
nearby corner, with an orange extension cord running from its open hood to the
open cable backup power box on the nearby pole, containing what looked like
about three gel cells.  When I went over and talked to the friendly cable guy
splicing wires on the back of his truck, he told me that he wasn't even trying
to charge the batteries, all he could do was try to keep the system running
from his truck until power was restored.

Cable modems?  Cable VoIP?  Our whole world of modern cable telecom, dependent
on a guy with an extension cord and an old bucket truck.  I found it rather
amusing, in a "sad commentary" sort of way.
Lauren Weinstein +1 (818) 225-2800 http://www.pfir.org/lauren
Moderator, PRIVACY Forum - http://www.vortex.com
Blog: http://lauren.vortex.com

------------------------------

Date: Mon, 14 Aug 2006 18:17:22 +0300
From: "Amos Shapir" <amos083@private>
Subject: UK bank details sold in Nigeria

Bank account details belonging to thousands of Britons are being sold in West
Africa for less than £20 each, the BBC's Real Story programme has found.  It
discovered that fraudsters in Nigeria were able to find internet banking data
stored on recycled PCs sent from the UK to Africa.

  [http://news.bbc.co.uk/2/hi/business/4790293.stm]

------------------------------

Date: Sun, 13 Aug 2006 17:12:56 +0100
From: Neil Youngman <neil.youngman@private>
Subject: Another auditor's laptop stolen

Recently my wife received a letter from Ernst and Young, regarding the loss of
a laptop containing credit card information for customers of various travel
websites.  I don't recall seeing it mentioned on RISKS, so I thought I'd add
it to your collection.

The letter states that "For the past several years, Ernst and Young has been
the auditor for IAN.com, a travel company which provides the hotel product and
booking technology to many leading travel websites." ... "An Ernst and Young
employee's backpack containing his laptop computer was stolen from his locked
vehicle in the US." ... "Following the theft we commenced an internal
investigation of this matter and determined that the stolen computer contained
certain customer information regarding some IAN.com customer transactions
primarily from the year 2004.  There were also a small number of transactions
from 2003 and 2002.  We believe the transaction information may have included
a transaction you made with IAN.com and, specifically, that the information on
the laptop may have included your name, address and some credit or debit card
information you provided."

The laptop required a password to use it.
To date we have received no information from law enforcement officials that
any of the data stored on the computer has been accessed by an unauthorised
person or used improperly.

There is insufficient information in the letter for me to determine which
website was involved and which credit card might be affected.

Ernst and Young do say at the end "We have put in place enhanced security
procedures, including encrypting our laptop computers, to provide additional
protection for sensitive information and have taken other measures designed to
protect against this type of incident happening again."

------------------------------

Date: Sun, 13 Aug 2006 13:29:40 EDT
From: MellorPeter@private
Subject: First conviction in UK for Wi-Fi hijack

Quoted from BBC News article:

"A recent court case, which saw a West London man fined £500 and sentenced to
12 months' conditional discharge for hijacking a wireless broadband
connection, has repercussions for almost every user of wi-fi networks.

It is believed to be the first case of its kind in the UK, but with an
estimated one million wi-fi users around the country, it is unlikely to be the
last.

"There are a lot of implications and this could open the floodgates to many
more such cases," said Phil Cracknell, chief technology officer of security
firm NetSurity."

Apparently, the convicted man had used his laptop from his car while parked
outside a house in which the resident was using an unsecured wi-fi connection,
over a period of three months.  Neighbours noticed him and reported his
behaviour to the police as suspicious.

For the full article, see:
  http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/4721723.stm

Peter Mellor; +44 (0)20 8459 7669  MellorPeter@private (new)

------------------------------

Date: Tue, 15 Aug 2006 10:43:07 -0400
From: "Dan Miller" <Dan.Miller@private>
Subject: Can't type? Your Dell laptop battery must be OK!
Dell has set up a website where you can check to see if your laptop battery is
one of the group being recalled, due to overheating.  See
  https://www.dellbatteryprogram.com/batterymodels.aspx

If your laptop belongs to a certain subset of models, you need to find your
battery ID (printed on the battery itself).  The code is of the format
zz-zzzzzz-zzzzz-zzz-zzzz; a combination of 20 numbers and uppercase letters.
If the last 5 characters of the second group match one of 36 combinations, you
are directed to enter the entire ID to see if your battery needs replacement.
See https://www.dellbatteryprogram.com/Identify.aspx.

The form in question allows you to enter one or more 20-character codes and
hit a Submit button.  If your battery is OK, the phrase "No need for
replacement" appears next to the entered ID.  I don't know what it says if
your battery does need to be replaced.

Unfortunately, there appears to be absolutely no check to verify you entered a
proper ID.  Apparently, battery AB-CDEFGH-IJKLM-NOP-QRST is OK, as is
00-000000-00000-000-0000, and ten random combinations of numbers and letters.
So you'd better heed the warning at the bottom of the page to "Please verify
you entered your PPID correctly before submitting".  You can tell a zero from
a capital letter O if only one of them appears on a label, right?

  http://www.nytimes.com/2006/08/14/technology/14cnd-battery.html?hp&ex=1155614400&en=499692c95b993103&ei=5094&partner=homepage

  [Of course, if you were injured in the process, you could call on the
  Pharma in the Dell.  E-EYE-E-I-O.  PGN!!!]

------------------------------

Date: Mon, 14 Aug 2006 04:01:46 +0000 (UTC)
From: tls@private (Thor Lancelot Simon)
Subject: Re: 3.1 million HSBC (Macintyre, RISKS-24.37)

To be, perhaps, all too kind, the claim is nonsense, and the fact that its
sole support is an argument about bombs at airports (which I've snipped) is
good reason to suspect as much as soon as you see it.
The "bomb" example is an exercise in emotional manipulation through the
presentation of an immediate, vivid, highly aversive consequence, intended to
trick the reader into miscomputing the actual cost and benefit of the other
problem it accompanies (the "telling the news media about a security flaw"
problem) for emotional reasons.

To be clear, let's look at the actual ethical problem here in simple
consequentialist terms.  To believe that "you have a responsibility NOT to be
telling the news media", you have to believe that the negative consequences of
you telling the news media outweigh, for ever and ever going forward from
today-here-now, the positive consequences of you doing so.

Is that really plausible?  Absent the specious "bomb" example, why should we
think so, when we have been given, as the conditions of the problem, that "you
report it to the institution and to law enforcement, and they do not seem to
take you seriously"?  That suggests that (at least) whatever level of harm is
currently occurring will continue indefinitely -- unless, that is, someone
_else_ were to make a public disclosure, and thus even more dramatically
absolve you of this phantom 'responsibility' Al is claiming that you have.

At some point in time, it is clear that the small continuing harm of continual
abuse of the security flaw would in fact far outweigh the (allegedly) larger,
very temporary harm of which your disclosure of the flaw to the media would
purportedly be the cause -- after which disclosure, of course, all harm would
stop, since fear of liability would cause the institution to plug the hole.

The correct choice as a matter of consequentialist ethics is plainly to
continue to attract the correct attention from the appropriate authorities,
but to be prepared to publicly disclose the problem _before_ that small
continuing cost swamps the one-time cost of disclosure.
To claim that one has some kind of absolute responsibility to not disclose
such problems as a matter of ethics is balderdash, and emotional appeals to
examples about ticking bombs do not (as they usually do not) help.

------------------------------

Date: Sat, 12 Aug 2006 20:24:32 -0700
From: Scott Peterson <scottp4@private>
Subject: Re: LA power outages (Jacobson, RISKS-24.37)

>World class first tier facility, two redundant grid hookups, backup battery
>array with two separate sets of diesel generators. Trucks full of diesel are
>on standby and the datacenter is run on each for 12 hours each month to make
>sure everything is working as it should.

I had a girlfriend who worked as a programmer for Carter Hawley Hale.  This
was a good sized California department store chain back in the 1980's.  They
built a huge data center in Orange County, CA.  They made the same kind of
plans for their mainframes.  Tied into multiple grids for power backup, got
permission to use the city's fire hydrant water system for cooling as backup
to the regular water supply.  They thought they had everything covered.

Anyway, one day a car hit a hydrant about a block away.  A valve that was
supposed to stop backflushing hadn't been installed properly and when the city
tried to shut off the hydrant break they found that the datacenter was pumping
water from the city lines into the emergency system with no way to shut it off
without turning off water to the whole data center.  They were down for about
4 days and it was pretty disastrous.

------------------------------

Date: Thu, 17 Aug 2006 10:18:27 -0400
From: Nick Simicich <njs@private>
Subject: Re: Letter on cybersecurity from the president

After publishing this deprecation of the current administration from the loyal
opposition, our moderator makes a weak call for "a similar message from a
republican".
I have a further request: How about not publishing things that are obviously
political diatribes masked as legitimate technical criticisms and comments?
It does bother me that the moderators seem to be unable to tell a polemic,
complete with vague, denigrative suggestions from a legitimate technical
criticism.  I won't bother with a point by point response, that would give too
much attention to a content-free political speech.

One thing does scare me about Reid's polemic.  Toward the end, flag firmly in
hand, he refers to 911 and then makes the following comment:

> it is critical that the American people trust that their
> government is taking every possible step to protect them.

No, every reasonable and constitutional step, not every possible step.  We
have already had a series of unreasonable steps, like no nail clippers on
airplanes, and losing your items rather than having them mailed or checked
through as punishment for accidentally bringing them (still in effect).  The
"every possible" language is tossed about by both sides, and it is tossed
about by people who probably are not affected by either the measures they take
or their results, short or long term.  Yes, we are at war, and at war, you
take some special actions.

-- 
Blog: http://majordomo.squawk.com/njs/blog/blogger.html
Atom: http://majordomo.squawk.com/njs/blog/atom.xml
RSS: http://majordomo.squawk.com/njs/blog/atom.rdf

------------------------------

Date: Thu, 17 Aug 2006 09:07:42 -0800
From: Rob Slade <rMslade@private>
Subject: REVIEW: "Risk Management Solutions ... Compliance, Quarterman

BKRMSSOX.RVW   20060722

"Risk Management Solutions for Sarbanes-Oxley Section 404 IT Compliance",
John S. Quarterman, 2006, 0-7645-9839-2, U$50.00/C$64.99/UK#31.99
%A   John S. Quarterman
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2006
%G   0-7645-9839-2
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$64.99/UK#31.99 416-236-4433 fax: 416-236-4448
%O   http://www.amazon.com/exec/obidos/ASIN/0764598392/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0764598392/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764598392/robsladesin03-20
%O   Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   278 p.
%T   "Risk Management Solutions for Sarbanes-Oxley Section 404 IT Compliance"

There is a problem with the title, quite apart from the fact that it is just
too long.  This book is not about "Sarbanes-Oxley Section 404" (which is in
the largest type on the front cover) as such.  In the preface, Quarterman
explains that this work addresses risk management, and, specifically, those
risks related to the Internet.  The text is intended for a wide ranging
audience: C-level executives who need to manage and report risk, IT
professionals needing information about non-technical control of risk,
insurance and financial organizations needing to make monetary assessments of
risks and benefits, employees of Internet related companies, and business risk
management students.  Having been through the publishing process myself, I
know that the title and cover are not Quarterman's fault: publishers get to
choose.  (And, somewhere in Wiley, there is a marketing person just bouncing
up and down with glee at finally being able to publish a SOX book.)  On the
other hand, the title is not completely misleading: SOX 404 is about the
proper assessment and reporting of potential risks, and pretty much every
company these days has to factor in the perils of dependence upon the
Internet.

Chapter one is an introduction, noting that, contrary to standard risk
assessment ideology, some threats are beyond the control of the enterprise,
and not subject to any kind of technical safeguards.  Perils may be too large
for the company (some financial losses are simply too great for an individual
company to survive) and difficult to quantify.
Quarterman points out that, rather than a fixed value resource, the Internet
may be more similar in valuation to a stock option, or other financial
instrument, and doesn't fit older cost/benefit models.  A variety of hazards
from and to the Internet are listed in chapter two.  Solutions are addressed
in chapter three, and the author also examines proposed solutions that do not
work.  For example, the difficulties of the Internet are frequently blamed on
the fact that there is no central authority and management, and it has often
been proposed to implement (or impose) such centralized command structures on
the net.  However, Quarterman demonstrates that decentralization has worked in
a number of cases, including a number of Internet applications.  Chapter four
is problematic: options for risk transfer are discussed before the concept is
raised, and although the title talks about strategy it is hard to pick
strategic measures out of all the tactical measures.  The work of Basel II,
with the concepts of credit and operational risk calculations, is outlined in
chapter five.  Examples of risks that are troublesome to quantify are given in
chapter six.

Chapter seven turns to large enterprises, noting some threats that are
somewhat intrinsic to the breed.  Quarterman doesn't stop with the "trite but
true": some of the perils are hubris and a reputation for bullying behaviour.
Small enterprises might not find the same kind of help in chapter eight: the
material here talks more about opportunities and benefits.  Various aspects of
bonding, insuring, and service level agreements (SLAs) for Internet service
providers are examined in chapter nine.  There is an interesting discussion of
third-party bonding, and the advantages that automatically accrue to all
parties under such a situation.  Chapter ten turns to the government, and the
ways in which it can, and can't, help.
Numerous aspects of insurance (policy language, legal precedents, new
concepts, and the lack of hard data for the effectiveness of the new
instruments) are reviewed in chapter eleven to address the possibilities,
limits, and restrictions of new forms of risk transference.  Chapter twelve
summarizes the reasons why Internet risk is different than others.

This book has a rushed feeling to it, and there are a number of odd errors.
The "Acknowledgements" section is, instead, a repeat of the first page of the
preface.  Text and phrases are repeated ("cyberhurricanes"), often without
definition and sometimes in contradictory fashion.  There is, for example, an
amount of $100 billion for risk from the Internet.  This number is repeated on
pages xxiii, 1, 30, 146, and 256 but seems to be used in one place for a
global figure, and in another for the risk to an individual company.  The
structure of individual chapters can be difficult as well: it is hard to
determine threads of specific arguments out of the (admittedly intriguing)
stream of information.

There are three threads that are repeated again and again in the book:
diversity, insurance, and mapping of the Internet.  But there is much more:
Quarterman does not address the standard picture of risk management, since he
is pointing out that the Internet throws our usual tools for quantified risk
analysis into disarray.  Instead he notes areas that have been neglected,
because of the difficulty of fitting them into standard models, and proposes
new, if somewhat vague, risk paradigms.  This is not a text that can be used
as a reference for ordinary threat analysis, but should be thoroughly studied
by anyone involved with protecting information (and particularly
communications) for a large company, anyone with a major involvement in the
Internet itself, and anyone responsible for business risks in a rapidly
changing environment.

copyright Robert M.
Slade, 2006   BKRMSSOX.RVW   20060722
rslade@private  slade@private  rslade@private
http://victoria.tc.ca/techrev/rms.htm

------------------------------

Date: 2 Oct 2005 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request@private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@private or risks-unsubscribe@private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i]
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing

------------------------------

End of RISKS-FORUM Digest 24.38
************************
This archive was generated by hypermail 2.1.3 : Fri Aug 18 2006 - 16:14:56 PDT